Fixed Invoke-Obfuscation command token error during agent negotiation process
parent
4c8495144d
commit
76f1e85375
|
@ -795,10 +795,8 @@ def obfuscate(psScript, obfuscationCommand):
|
||||||
toObfuscateFile = open(toObfuscateFilename, 'w')
|
toObfuscateFile = open(toObfuscateFilename, 'w')
|
||||||
toObfuscateFile.write(psScript)
|
toObfuscateFile.write(psScript)
|
||||||
toObfuscateFile.close()
|
toObfuscateFile.close()
|
||||||
|
|
||||||
# Obfuscate using Invoke-Obfuscation w/ PowerShell
|
# Obfuscate using Invoke-Obfuscation w/ PowerShell
|
||||||
subprocess.call("powershell 'Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s'" % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename), shell=True)
|
subprocess.call("powershell 'Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s'" % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename), shell=True)
|
||||||
|
|
||||||
obfuscatedFile = open(obfuscatedFilename , 'r')
|
obfuscatedFile = open(obfuscatedFilename , 'r')
|
||||||
# Obfuscation writes a newline character to the end of the file, ignoring that character
|
# Obfuscation writes a newline character to the end of the file, ignoring that character
|
||||||
psScript = obfuscatedFile.read()[0:-1]
|
psScript = obfuscatedFile.read()[0:-1]
|
||||||
|
@ -820,13 +818,13 @@ def obfuscate_module(moduleSource, obfuscationCommand="", forceReobfuscation=Fal
|
||||||
f.close()
|
f.close()
|
||||||
|
|
||||||
# obfuscate and write to obfuscated source path
|
# obfuscate and write to obfuscated source path
|
||||||
|
obfuscatedCode = obfuscate(psScript=moduleCode, obfuscationCommand=obfuscationCommand)
|
||||||
obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source")
|
obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source")
|
||||||
try:
|
try:
|
||||||
f = open(obfuscatedSource, 'w')
|
f = open(obfuscatedSource, 'w')
|
||||||
except:
|
except:
|
||||||
print color("[!] Could not read obfuscated module source path at: " + obfuscatedSource)
|
print color("[!] Could not read obfuscated module source path at: " + obfuscatedSource)
|
||||||
return ""
|
return ""
|
||||||
obfuscatedCode = obfuscate(psScript=moduleCode, obfuscationCommand=obfuscationCommand)
|
|
||||||
f.write(obfuscatedCode)
|
f.write(obfuscatedCode)
|
||||||
f.close()
|
f.close()
|
||||||
|
|
||||||
|
|
|
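Review bot: The `subprocess.call(... shell=True)` line kept as context in the `obfuscate` hunk builds one shell string by %-interpolating `convert_obfuscation_command(obfuscationCommand)` and two file names into a single-quoted `powershell '...'` argument, so a single quote or shell metacharacter in the obfuscation command reaches `/bin/sh` unescaped; the two lines this hunk removes are not shown on the page, so it is unclear whether the fix touched that string. Pass an argument list instead, e.g. `subprocess.call(["powershell", "-Command", "Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s" % (toObfuscateFilename, convert_obfuscation_command(obfuscationCommand), obfuscatedFilename)])`, and have `convert_obfuscation_command` (not visible here) restrict the value to the known token vocabulary, since the string is still interpreted by PowerShell. In the `obfuscate_module` hunk, moving the `obfuscate()` call ahead of `open(obfuscatedSource, 'w')` avoids truncating the output file before obfuscation has succeeded, but the bare `except:` still reports "Could not read obfuscated module source path" for a failed open-for-write; `except IOError as e:` with a message saying "write" would match what that line does. Both functions continue outside their hunks.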
@ -404,7 +404,6 @@ class Listener:
|
||||||
|
|
||||||
if obfuscate:
|
if obfuscate:
|
||||||
randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
|
randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
|
||||||
print randomizedStager
|
|
||||||
# base64 encode the stager and return it
|
# base64 encode the stager and return it
|
||||||
if encode:
|
if encode:
|
||||||
return helpers.enc_powershell(randomizedStager)
|
return helpers.enc_powershell(randomizedStager)
|
||||||
|
|
|
@ -128,7 +128,7 @@ http://www.danielbohannon.com
|
||||||
# Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions.
|
# Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions.
|
||||||
$ObfuscationTypeOrder += 'Comment'
|
$ObfuscationTypeOrder += 'Comment'
|
||||||
# Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings.
|
# Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings.
|
||||||
# $ObfuscationTypeOrder += 'String'
|
$ObfuscationTypeOrder += 'String'
|
||||||
$ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count)
|
$ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count)
|
||||||
|
|
||||||
# Apply each randomly-ordered $ObfuscationType from above step.
|
# Apply each randomly-ordered $ObfuscationType from above step.
|
||||||
|
@ -691,11 +691,35 @@ http://www.danielbohannon.com
|
||||||
default {Write-Error "An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation."; Exit}
|
default {Write-Error "An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation."; Exit}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Evenly trim leading/trailing parentheses.
|
# Evenly trim leading/trailing parentheses.
|
||||||
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')'))
|
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')'))
|
||||||
{
|
{
|
||||||
$ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
|
$TrimmedObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
|
||||||
|
# Check if the parentheses are balanced before permenantly trimming
|
||||||
|
$Balanced = $True
|
||||||
|
$Counter = 0
|
||||||
|
ForEach($char in $TrimmedObfuscatedToken.ToCharArray()) {
|
||||||
|
If($char -eq '(') {
|
||||||
|
$Counter = $Counter + 1
|
||||||
|
}
|
||||||
|
ElseIf($char -eq ')') {
|
||||||
|
If($Counter -eq 0) {
|
||||||
|
$Balanced = $False
|
||||||
|
break
|
||||||
|
}
|
||||||
|
Else {
|
||||||
|
$Counter = $Counter - 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# If parantheses are balanced, we can safely trim the parentheses
|
||||||
|
If($Balanced -and $Counter -eq 0) {
|
||||||
|
$ObfuscatedToken = $TrimmedObfuscatedToken
|
||||||
|
}
|
||||||
|
# If parentheses cannot be trimmed, break out of loop
|
||||||
|
Else {
|
||||||
|
break
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1157,6 +1181,9 @@ http://www.danielbohannon.com
|
||||||
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString)
|
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString)
|
||||||
|
|
||||||
If(($Token.Content.ToLower() -eq 'invoke') `
|
If(($Token.Content.ToLower() -eq 'invoke') `
|
||||||
|
-OR ($Token.Content.ToLower() -eq 'computehash') `
|
||||||
|
-OR ($Token.Content.ToLower() -eq 'tobase64string') `
|
||||||
|
-OR ($Token.Content.ToLower() -eq 'getstring') `
|
||||||
-OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) `
|
-OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) `
|
||||||
-OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) `
|
-OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) `
|
||||||
-AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')')))))))
|
-AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')')))))))
|
||||||
|
|
|
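Review bot: The member-name exclusions added to the `If(` in the last hunk extend a hard-coded chain of `-eq` comparisons to four entries, and nothing records why `computehash`, `tobase64string` and `getstring` must skip token obfuscation; the body of that `If` lies outside the hunk. A single array keeps the vocabulary in one place and reads as a list: `$UnobfuscatableMembers = @('invoke','computehash','tobase64string','getstring')` followed by `If(($UnobfuscatableMembers -contains $Token.Content.ToLower()) `` in place of the four clauses, with a comment above it such as `# Member names whose call syntax must stay intact after obfuscation (presumably used verbatim by the agent negotiation code — confirm before adding more)`. The balance check added in the parentheses-trimming hunk counts every `(` and `)` in `$TrimmedObfuscatedToken`, including any inside quoted strings, so a token with an unpaired parenthesis in a string literal is simply left untrimmed; that is the safe direction, but a one-line comment stating that the check is deliberately conservative would save the next reader from treating it as a bug.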
@ -42,17 +42,17 @@ elif lsb_release -d | grep -q "Kali"; then
|
||||||
pip install zlib_wrapper
|
pip install zlib_wrapper
|
||||||
pip install netifaces
|
pip install netifaces
|
||||||
if ! which powershell > /dev/null; then
|
if ! which powershell > /dev/null; then
|
||||||
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
|
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
|
||||||
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
|
|
||||||
wget http://ftp.debian.org/debian/pool/main/i/icu/libicu52_52.1-8+deb8u5_amd64.deb
|
|
||||||
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
dpkg -i libicu52_52.1-8+deb8u5_amd64.deb
|
wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
|
apt-get install -y libunwind8
|
||||||
|
dpkg -i libicu55_55.1-7_amd64.deb
|
||||||
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
apt-get install -y apt-transport-https
|
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
apt-get update
|
apt-get install -f -y
|
||||||
apt-get install -y powershell
|
rm libicu55_55.1-7_amd64.deb
|
||||||
rm libicu52_52.1-8+deb8u5_amd64.deb
|
|
||||||
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
|
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
fi
|
fi
|
||||||
mkdir -p /usr/local/share/powershell/Modules
|
mkdir -p /usr/local/share/powershell/Modules
|
||||||
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
|
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
|
||||||
|
@ -72,11 +72,17 @@ elif lsb_release -d | grep -q "Ubuntu"; then
|
||||||
pip install zlib_wrapper
|
pip install zlib_wrapper
|
||||||
pip install netifaces
|
pip install netifaces
|
||||||
if ! which powershell > /dev/null; then
|
if ! which powershell > /dev/null; then
|
||||||
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
|
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
|
||||||
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
|
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
apt-get install -y apt-transport-https
|
wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
apt-get update
|
apt-get install -y libunwind8
|
||||||
apt-get install -y powershell
|
dpkg -i libicu55_55.1-7_amd64.deb
|
||||||
|
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
|
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
|
apt-get install -f -y
|
||||||
|
rm libicu55_55.1-7_amd64.deb
|
||||||
|
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
|
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
fi
|
fi
|
||||||
mkdir -p /usr/local/share/powershell/Modules
|
mkdir -p /usr/local/share/powershell/Modules
|
||||||
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
|
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
|
||||||
|
@ -96,11 +102,17 @@ else
|
||||||
pip install zlib_wrapper
|
pip install zlib_wrapper
|
||||||
pip install netifaces
|
pip install netifaces
|
||||||
if ! which powershell > /dev/null; then
|
if ! which powershell > /dev/null; then
|
||||||
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
|
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
|
||||||
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
|
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
apt-get install -y apt-transport-https
|
wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
apt-get update
|
apt-get install -y libunwind8
|
||||||
apt-get install -y powershell
|
dpkg -i libicu55_55.1-7_amd64.deb
|
||||||
|
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
|
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
|
apt-get install -f -y
|
||||||
|
rm libicu55_55.1-7_amd64.deb
|
||||||
|
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
|
||||||
|
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
|
||||||
fi
|
fi
|
||||||
mkdir -p /usr/local/share/powershell/Modules
|
mkdir -p /usr/local/share/powershell/Modules
|
||||||
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
|
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
|
||||||
|
|
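Review bot: The three hunks (the Kali branch, the Ubuntu branch and the final `else` branch) replace the signed Microsoft apt-repository path with `wget` of `libicu55`, `libssl1.0.0` and the `powershell_6.0.0-alpha.16` pre-release `.deb`, two of them over plain `http://`, and pass them straight to `dpkg -i` (presumably as root, given the unprefixed `apt-get` calls) with no digest or signature check, so a mirror or on-path substitution of any archive installs unverified code on the Empire host, where the previous path at least had repository signatures via `apt-key`. Each download should be compared against a pinned SHA-256 before `dpkg -i`, and the libicu/libssl archives fetched over HTTPS if the mirror offers it; unless `set -e` is in effect above the visible region, a failed `wget` is also not detected before `dpkg -i` runs. The same block is repeated verbatim in all three branches, so factoring it into one function keeps the pinned digests in a single place. The hunks below the first repeat the same defect and need no separate note.
```shell
# … unchanged: pip installs and the `if ! which powershell` test …
# Expected digests — placeholder values, fill in from the publishers' signed release data
LIBICU_SHA256="<sha256-of-libicu55_55.1-7_amd64.deb>"
LIBSSL_SHA256="<sha256-of-libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb>"
PWSH_SHA256="<sha256-of-powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb>"
# … unchanged: the three wget lines …
echo "${LIBICU_SHA256}  libicu55_55.1-7_amd64.deb" | sha256sum -c - || exit 1
echo "${LIBSSL_SHA256}  libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb" | sha256sum -c - || exit 1
echo "${PWSH_SHA256}  powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb" | sha256sum -c - || exit 1
# … unchanged: apt-get install -y libunwind8, dpkg -i …, apt-get install -f -y, rm … …
```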